Signals intelligence (often contracted to
SIGINT) is intelligence-gathering
by interception of signals, whether between people
(COMINT,
or communications intelligence), whether involving electronic
signals not directly used in communication (ELINT, or electronic
intelligence), or combinations of the two. As sensitive information
is often encrypted,
signals intelligence often involves the use of cryptanalysis.
Also, traffic
analysis — the study of who is signaling whom and in what
quantity — can often produce valuable information, even when
the messages themselves cannot be decrypted.

History

Intercepting written but encrypted communications, and
extracting information, probably did not wait long after the
development of writing. A
simple encryption system, for example, is the Caesar cipher.
Electronic interception appeared as early as 1900, during the Boer War.
The Boers had captured some British radios, and, since the
British were the only people transmitting at the time, no special
interpretation of the signals was necessary.[1]

The JCS definition may overemphasize "foreign instrumentation
signals". That part should be considered in combination with MASINT, which
is closely linked to foreign instrumentation such as telemetry or radionavigation. An ELINT sensor may find a
radar, and then cue (i.e., guide) a COMINT sensor for
listening in on the talk between the radar and its remote users. A
nonspecific SIGINT sensor can cue a
Frequency
Domain MASINT sensor that can help identify the purpose of the
signal. If MASINT cannot identify the signal, then the intelligence
organization may task an IMINT
aircraft or satellite to take a picture of the source, so photo
interpreters can try to understand its functions.

Being a broad field, SIGINT has many sub-disciplines. The two
main ones are COMmunications
INTelligence (COMINT) and
ELectronic INTelligence (ELINT).
There are, however, some techniques that can apply to either
branch, as well as to assist FISINT or MASINT.

Disciplines shared
across the branches

Advertisements

Targeting

A collection system has to know to look for a particular signal.
"System", in this context, has several nuances. Targeting is an
output of the process of developing collection
requirements:

"1. An intelligence need considered in the allocation of
intelligence resources. Within the Department of Defense, these
collection requirements fulfill the essential elements of
information and other intelligence needs of a commander, or an
agency.

"2. An established intelligence need, validated against the
appropriate allocation of intelligence resources (as a requirement)
to fulfill the essential elements of information and other
intelligence needs of an intelligence consumer."[2]

Need for multiple,
coordinated receivers

First, atmospheric conditions, sunspots, the target's transmission schedule
and antenna characteristics, and other factors create uncertainty
that a given signal intercept sensor will be able to "hear" the
signal of interest, even with a geographically fixed target and an
opponent making no attempt to evade interception. Basic
countermeasures against interception include frequent changing of
radio
frequency, polarization, and other
transmission characteristics. An intercept aircraft could not get
off the ground if it had to carry antennas and receivers for every
possible frequency and signal type to deal with such
countermeasures.

Second, locating the transmitter's position is usually part of
SIGINT. Triangulation and more sophisticated
radio location techniques, such as time of arrival methods, require
multiple receiving points at different locations. These receivers
send location-relevant information to a central point, or perhaps
to a distributed system in which all participate, such that the
information can be correlated and a location computed.

Intercept
management

Modern SIGINT systems, therefore, have substantial
communications among intercept platforms. Even if some platforms
are clandestine, there is a broadcast of information telling them
where and how to look for signals.[3]
A U.S. targeting system under development in the late 1990s, PSTS,
constantly sends out information that helps the interceptors
properly aim their antennas and tune their receivers. Larger
intercept aircraft, such as the EP-3 or RC-135, have the on-board capability to do
some target analysis and planning, but others, such as the RC-12 GUARDRAIL, are
completely under ground direction. GUARDRAIL aircraft are fairly
small, and usually work in units of three to cover a tactical
SIGINT requirement, where the larger aircraft tend to be assigned
strategic/national missions.

Before the detailed process of targeting begins, someone has to
decide there is a value in collecting information about something.
While it would be possible to direct signals intelligence
collection at a major sports event, the systems would capture a
great deal of noise, news signals, and perhaps announcements in the
stadium. If, however, an anti-terrorist organization believed that
a small group would be trying to coordinate their efforts, using
short-range unlicensed radios, at the event, SIGINT targeting of
radios of that type would be reasonable. Targeting would not know
where in the stadium the radios might be, or the exact frequency
they are using; those are the functions of subsequent steps such as
signal detection and direction finding.

Once the decision to target is made, the various interception
points need to cooperate, since resources are limited. Knowing what
interception equipment to use becomes easier when a target country
buys its radars and radios from known manufacturers, or is given
them as part of foreign military aid. National intelligence
services keep libraries of devices manufactured by their own
country and others, and then use a variety of techniques to learn
what equipment is acquired by a given country.

Knowledge of physics and electronic engineering further narrows
the problem of what types of equipment might be in use. An
intelligence aircraft flying well outside the borders of another
country will listen for long-range search radars, not short-range
fire control radars that would be used by a mobile air defense.
Soldiers scouting the front lines of another army know that the
other side will be using radios that must be portable and not have
huge antennas.

Signal
detection

Even if a signal is human communications (e.g., a radio), the
intelligence collection specialists have to know it exists. If the
targeting function described above learns that a country has a
radar that operates in a certain frequency range, the first step is
to use a sensitive receiver, with one or more antennas that listen
in every direction, to find an area where such a radar is
operating. Once the radar is known to be in the area, the next step
is to find its location.

If operators know the probable frequencies of transmissions of
interest, they may use a set of receivers, preset to the
frequencies of interest. These are the frequency (horizontal axis)
versus power (vertical axis) produced at the transmitter, before
any filtering of signals that do not add to the information being
transmitted. Received energy on a particular frequency may start a
recorder, and alert a human to listen to the signals if they are
intelligible (i.e., COMINT). If the frequency is not known, the
operators may look for power on primary or sideband frequencies using a spectrum
analyzer. Information from the spectrum analyzer is then used
to tune receivers to signals of interest. For example, in this
simplified spectrum, the actual information is at 800 kHz and
1.2 MHz.

Hypothetical displays from four spectrum analyzers connected to
directional antennas. The transmitter is at bearing 090
degrees.

Real-world transmitters and receivers usually are directional.
In the figure to the left, assume that each display is connected to
a spectrum analyzer connected to a directional antenna aimed in the
indicated direction.

Countermeasures to
interception

Spread-spectrum communications is an electronic
counter-countermeasures (ECCM) technique to defeat looking for
particular frequencies. Spectrum analysis can be used in a
different ECCM way to identify frequencies not being jammed or not
in use.

Direction-finding

The earliest, and still common, means of direction
finding is to use directional antennas as goniometers, so that a line can be drawn
from the receiver through the position of the signal of interest.
See HF/DF.
Knowing the compass bearing, from a single point, to the
transmitter does not locate it. Where the bearings from multiple
points, using goniometry, are plotted on a map, the transmitter
will be located at the point where the bearings intersect. This is
the simplest case; a target may try to confuse listeners by having
multiple transmitters, giving the same signal from different
locations, switching on and off in a pattern known to their user
but apparently random to the listener.

Individual directional antennas have to be manually or
automatically turned to find the signal direction, which may be too
slow when the signal is of short duration. One alternative is the
Wullenweber array
technique. In this method, several concentric rings of antenna
elements simultaneously receive the signal, so that the best
bearing will ideally be clearly on a single antenna or a small set.
Wullenweber arrays for high-frequency signals are enormous,
referred to as "elephant cages" by their users.

An alternative to tunable directional antennas, or large
omnidirectional arrays such as the Wullenweber, is to measure the
time of
arrival of the signal at multiple points, using GPS or a similar method to have
precise time synchronization. Receivers can be on ground stations,
ships, aircraft, or satellites, giving great flexibility.

Modern anti-radiation missiles can home
in on and attack transmitters; military antennas are rarely a safe
distance from the user of the transmitter.

Traffic
analysis

When locations are known, usage patterns may emerge, and
inferences drawn. Traffic analysis is the discipline of
drawing patterns from information flow among a set of senders and
receivers, whether those senders and receivers are designated by
location determined through direction finding, by addressee and
sender identifications in the message, or even MASINT techniques for
"fingerprinting" transmitters or operators. Message content, other
than the sender and receiver, is not necessary to do traffic
analysis, although more information can be helpful.

For example, if a certain type of radio is known to be used only
by tank units, even if the position is not precisely determined by
direction finding, it may be assumed that a tank unit is in the
general area of the signal. Of course, the owner of the transmitter
can assume someone is listening, so might set up tank radios in an
area where he wants the other side to believe he has actual tanks.
As part of Operation Quicksilver,
part of the deception
plan for the invasion of Europe at the Battle of
Normandy, radio transmissions simulated the headquarters and
subordinate units of the fictitious First United States Army
Group (FUSAG), commanded by George S. Patton, to make the German
defense think that the main invasion was to come at another
location. In like manner, fake radio transmissions from Japanese
aircraft carriers, before the Battle of Pearl
Harbor, were made from Japanese local waters, while the
attacking ships moved under strict radio silence.

Traffic analysis need not focus on human communications. For
example, if the sequence of a radar signal, followed by an exchange
of targeting data and a confirmation, followed by observation of
artillery fire, this may identify an automated counterbattery
system. A radio signal that triggers navigational beacons could be
a landing aid system for an airstrip or helicopter pad that is
intended to be low-profile.

Patterns do emerge. Knowing a radio signal, with certain
characteristics, originating from a fixed headquarters may be
strongly suggestive that a particular unit will soon move out of
its regular base. The contents of the message need not be known to
infer the movement.

There is an art as well as science of traffic analysis. Expert
analysts develop a sense for what is real and what is deceptive.
Harry Kidder, for example, was one of the star cryptanalysts of
World War II, a star hidden behind the secret curtain of
SIGINT.[4]

Electronic Order of
Battle

Generating an Electronic order of battle (EOB)
requires identifying SIGINT emitters in an area of interest,
determining their geographic location or range of mobility,
characterizing their signals, and, where possible, determining
their role in the broader organizational order of battle. EOB covers both COMINT
and ELINT.[5] The Defense Intelligence Agency
maintains an EOB by location. The Joint Spectrum Center (JSC) of
the Defense Information
Systems Agency supplements this location database with five
more technical databases:

FRRS: Frequency Resource Record System

BEI: Background Environment Information

SCS: Spectrum Certification System

EC/S: Equipment Characteristics/Space

TACDB: platform lists, sorted by nomenclature, which contain
links to the C-E equipment complement of each platform, with links
to the parametric data for each piece of equipment, military unit
lists and their subordinate units with equipment used by each
unit.

EOB and related data flow

For example, several voice transmitters might be identified as
the command net (i.e., top commander and direct reports) in a tank
battalion or tank-heavy task force. Another set of transmitters
might identify the logistic net for that same unit. An inventory of
ELINT sources might identify the medium- and long-range counter-artillery radars in a
given area,

Signals intelligence units will identify changes in the EOB,
which might indicate enemy unit movement, changes in command
relationships, and increases or decreases in capability.

Using the COMINT gathering method enables the intelligence
officer to produce an electronic order of battle by traffic
analysis and content analysis among several enemy units. For
example, if the following messages were intercepted:

U1 from U2, requesting permission to proceed to checkpoint
X.

U2 from U1, approved. please report at arrival.

(20 minutes later) U1 from U2, all vehicles have arrived to
checkpoint X.

This sequence shows that there are two units in the battlefield,
unit 1 is mobile, while unit 2 is in a higher hierarchical level,
perhaps a command post. One can also understand that unit 1 moved
from one point to another which are distant from each 20 minutes
with a vehicle. If these are regular reports over a period of time,
they might reveal a patrol pattern. Direction-finding and radiofrequency MASINT could help
confirm that the traffic is not deception.

The EOB buildup process is divided as following:

Signal separation

Measurements optimization

Data Fusion

Networks build-up

Separation of the intercepted spectrum and the signals
intercepted from each sensors must take place in an extremely small
period of time, in order to separate the deferent signals to
different transmitters in the battlefield. The complexity of the
separation process depends on the complexity of the transmission
methods (e.g., hopping or time division multiple
access (TDMA)).

By gathering and clustering data from each sensor, the
measurements of the direction of signals can be optimized and get
much more accurate then the basic measurements of a standard direction
finding sensor.[6]
By calculating larger samples of the sensor's output data in near
real-time, together with historical information of signals, better
results are achieved.

Data fusion correlates data samples from different frequencies
from the same sensor, "same" being confirmed by direction
finding or radiofrequency MASINT. If an
emitter is mobile, direction finding, other than discovering a
repetitive pattern of movement, is of limited value in determining
if a sensor is unique. MASINT then becomes more informative, as
individual transmitters and antennas may have unique side lobes,
unintentional radiation, pulse timing, etc.

Network build-up among between each emitter
(communication transmitter) to another enables creation of the
communications flows of a battlefield.[7]

COMINT

COMINT (Communications Intelligence) is a sub-category of
signals intelligence that engages in dealing with messages or voice
information derived from the interception of foreign
communications. It should be noted that COMINT is commonly referred
to as SIGINT, which can cause confusion when talking about the
broader intelligence disciplines. The US Joint Chiefs of Staff
defines it as "Technical information and intelligence derived from
foreign communications by other than the intended recipients".[2]

COMINT, which is defined to be communications among people, will
reveal some or all of the following:

Who is transmitting

Where they are located, and, if the transmitter is moving, the
report may give a plot of the signal against location

If known, the organizational function of the transmitter

The time and duration of transmission, and the schedule if it
is a periodic transmission

The frequencies and other technical characteristics of their
transmission

If the transmission is encrypted or not, and if it can be
decrypted. If it is possible to intercept either an originally
transmitted cleartext or obtain it through cryptanalysis, the
language of the communication and a translation (when needed).

The addresses, if the signal is not a general broadcast and if
addresses are retrievable from the message. These stations may also
be COMINT (e.g., a confirmation of the message or a response
message), ELINT (e.g., a navigation beacon being activated) or
both. Rather than, or in addition to, an address or other
identifier, there may be information on the location and signal
characteristics of the responder.

Voice
interception

A basic COMINT technique is to listen for voice communications,
usually over radio but possibly "leaking" from telephones or from
wiretaps. If the voice communications are encrypted, the encryption
first must be solved through a process of introelectric diagram in
order to listen to the conversation, although traffic
analysis (q.v.) may give information simply because one station
is sending to another in a radial pattern. It is important to check
for various cross sections of conversation. It is equally important
to make sure that you have the correct x pattern in relation to the
a2 pattern. These can be found by using the signals intelligence
set given to all Naval communications officers and enlisted
personnel with direct access to signals intelligence
communications.

Obviously, the interceptor must understand the language being
spoken. In the Second World War, the United States used volunteer
communicators known as code talkers, who used languages such as Navajo, Comanche and Choctaw, which would be
understood by few people, even in the U.S., who did not grow up
speaking the language. Even within these uncommon languages, the
code talkers used specialized codes, so a "butterfly" might be a
specific Japanese aircraft. British forces made more limited use of
Welsh speakers
for the additional protection.

While modern electronic encryption does away with the need for
armies to use obscure languages, it is certainly possible that
guerrilla groups might use rare dialects that few outside their
ethnic group would understand.

Text
interception

Not all communication is in voice. Morse code interception was
once very important, but Morse code telegraphy is now obsolescent in
the western world, although possibly used by special operations
forces. Such forces, however, now have portable cryptographic
equipment. Morse code is still used by military forces of former
Soviet Union countries.

Specialists scan radio frequencies for character sequences
(e.g., electronic mail) and facsimile.

Signaling channel
interception

A given digital communications link can carry thousands or
millions of voice communications, especially in developed
countries. Without addressing the legality of such actions, the
problem of identifying which channel contains which conversation
becomes much simpler when the first thing intercepted is the
signaling channel that carries information to set up
telephone calls. In civilian and many military use, this channel
will carry messages in Signaling System 7 protocols.

Monitoring friendly
communications

More a part of communications security than true intelligence
collection, SIGINT units still may have the responsibility of
monitoring one's own communications or other electronic emissions,
to avoid providing intelligence to the enemy. For example, a
security monitor may hear an individual transmitting inappropriate
information over an unencrypted radio network, or simply one that
is not authorized for the type of information being given. If
immediately calling attention to the violation would not create an
even greater security risk, the monitor will call out one of the
BEADWINDOW codes[8] used by
Australia, Canada, New Zealand, the United Kingdom, the United
States, and other nations working under their procedures. Standard
BEADWINDOW codes (e.g., "BEADWINDOW 2") include:

Position: (e.g., disclosing, in an insecure or
inappropriate way, "Friendly or enemy position, movement or
intended movement, position, course, speed, altitude or destination
or any air, sea or ground element, unit or force.

Wrong circuit: "Inappropriate transmission.
Information requested, transmitted or about to be transmitted which
should not be passed on the subject circuit because it either
requires greater security protection or it is not appropriate to
the purpose for which the circuit is provided."

Other codes as appropriate for the situation may be defined by
the commander.

In WWII, for example, the Japanese Navy made possible the
interception and death of the Combined Fleet commander, Admiral Isoroku
Yamamoto, by BEADWINDOW 5 and 7 violations. They identified a
key person's movement over a low-security cryptosystem.

ELINT

ELINT from ELectronic Signals
INTelligence refers to intelligence-gathering
by use of electronic sensors. Its primary focus lies on
non-communications signals intelligence. The Joint Chiefs of Staff
define it as "Technical and geolocation intelligence derived from
foreign noncommunications electromagnetic radiations emanating from
other than nuclear detonations or radioactive sources."[2]

Signal identification is performed by analyzing the collected
parameters of a specific signal, and either matching it to known
criteria, or recording it as a possible new emitter. ELINT data are
usually highly classified, and are protected as such.

The data gathered are typically pertinent to the electronics of
an opponent's defense network, especially the electronic parts such
as radars, surface-to-air missile systems,
aircraft, etc. ELINT can be used to detect ships and aircraft by
their radar and other electromagnetic radiation; commanders have to
make choices between not using radar (EMCON), intermittently using it, or using it and
expecting to avoid defenses. ELINT can be collected from ground
stations near the opponent's territory, ships off their coast,
aircraft near or in their airspace, or by satellite.

Complementary
relationship to COMINT

Combining other sources of information and ELINT allows traffic
analysis to be performed on electronic emissions which contain
human encoded messages. The method of analysis differs from SIGINT in
that any human encoded message which is in the electronic
transmission is not analyzed during ELINT. What is of interest is
the type of electronic transmission and its location. For example,
during the Battle of
the Atlantic in World War II, Ultra COMINT was not always available because Bletchley Park
was not always able to read the U-Boat Enigma traffic. But "Huff-Duff" (High Frequency Direction
Finder) was still able to find where the U-Boats were by analysis of
radio transmissions and the positions through triangulation from
the direction located by two or more Huff-Duff systems. The Admiralty was able to use
this information to plot courses which took convoys away from high
concentrations of U-Boats.

Yet other ELINT disciplines include intercepting and analyzing
enemy weapons control signals, or the Identification, friend or foe responses
from transponders in aircraft used to distinguish enemy craft from
friendly ones. ELINT has 3 sub sections, Electronic attack (EA),
Electronic Support (ES), and Electronic Protection (EP)

Role in air
warfare

A very common area of ELINT is intercepting radars and learning
their locations and operating procedures. Attacking forces may be
able to avoid the coverage of certain radars, or, knowing their
characteristics, electronic warfare units may jam
radars or send them deceptive signals. Confusing a radar
electronically is called a "soft kill", but military units will
also send specialized missiles at radars, or bomb them, to get a
"hard kill".

Knowing where each surface-to-air missile and anti-aircraft artillery system is and its
type means that air raids can be plotted to avoid the most heavily
defended areas and to fly on a flight profile which will give the
aircraft the best chance of evading ground fire and fighter
patrols. It also allows for the jamming or spoofing of the enemy's defense network
(see electronic warfare). Good electronic
intelligence can be very important to stealth operations; stealth
aircraft are not totally undetectable and need to know which
areas to avoid. Similarly, conventional aircraft need to know where
fixed or semi-mobile air defense systems are so that they can
shut them down or fly around them.

ELINT and
ESM

Electronic Support Measures (ESM) are really
ELINT techniques, but the term is used in the specific context of
tactical warfare. ESM give the information needed for
Electronic Attack (EA) such as jamming. EA is also
called Electronic Counter-Measures. ESM provides
information needed for Electronic Counter-Counter Measures
(ECCM), such as understanding a spoofing or jamming mode
so one can change one's radar characteristics to avoid them.

ELINT for
meaconing

Meaconing[9] is the
combined intelligence and electronic warfare of learning the
characteristics of enemy navigation aids, such as radio beacons,
and retransmitting them with incorrect information. There are
tales, perhaps apocryphal, that the meaconing was so confusing that
an enemy aircraft landed, quite smoothly, at an airport of the
other side.

MASINT also works with collected signals, but is more of an
analysis discipline. There are, however, unique MASINT sensors,
typically working in different regions or domains of the
electromagnetic spectrum, such as infrared or magnetic fields.
While NSA and other agencies have MASINT groups, the Central MASINT
Office is in the Defense Intelligence Agency
(DIA).

Where COMINT and ELINT focus on the intentionally transmitted
part of the signal, MASINT focuses on unintentionally transmitted
information. For example, a given radar antenna will have sidelobes
emanating from other than the direction in which the main antenna
is aimed. The RADINT (radar intelligence) discipline involves
learning to recognize a radar both by its primary signal, captured
by ELINT, and its sidelobes, perhaps captured by the main ELINT
sensor, or, more likely, a sensor aimed at the sides of the radio
antenna.

MASINT associated with COMINT might involve the detection of
common background sounds expected with human voice communications.
For example, if a given radio signal comes from a radio used in a
tank, if the interceptor does not hear engine noise or higher voice
frequency than the voice modulation usually uses, even though the
voice conversation is meaningful, MASINT might suggest it is a
deception, not coming from a real tank.

See HF/DF
for a discussion of SIGINT-captured information with a MASINT
flavor, such as determining the frequency to which a
receiver is tuned, from detecting the frequency of the beat frequency oscillator of
the superheterodyne receiver.

Defensive signals
intelligence

There are a number of ways that a person or organization can
defend against signals intelligence. There is a delicate balance
between the level of protection and the actual threat, as expressed
in the clichés about "tinfoil hats".

One must begin by defining the threat. It is considerably more
difficult to defend against detection that one is signaling, as
opposed to defending against an opponent discovering the content of
the transmitted message. Appropriate encryption can protect against
content interception, but protecting against signal detection,
especially with a capable opponent, requires measures to make the
signal hard to detect – which can also make it difficult for
the intended recipient to receive the signal. Any defensive program
needs to consider the nature of the threat and the capabilities of
the opponent.

Strong and well-managed
encryption

While encryption is
discussed at length in other articles, it should not be forgotten
that if one wants to protect messages and files, encryption is
central to the defense. As important as the encryption process
itself may be, it is vulnerable if the cryptographic
keys are not strong and protected, and, on computers, that the
cleartext is deleted when not needed.
Seemingly obvious, but too often neglected, is making a practice of
having as little cleartext hard copy as possible.

Appropriate transmission
security

When using radio transmitters, use directional
antennas that have as little "spillover" into sidelobes
as possible. If it is most important to hide the location of a
transmitter, the minimum is to cable the antennas as far as
possible away from the transmitter proper. In many circumstances,
aiming the antenna upward to a satellite will help hide its
location.

The amount of total transmission power needs to be minimized,
and the power preferably should be split into multiple and changing
frequencies using spread spectrum techniques. If
possible, avoid transmitting when hostile SIGINT satellites or
monitoring aircraft are overhead.

If in an urban area, avoid using regular commercial power to
transmit. There are ways in which the signal can "leak" into power
and ground lines. The adversary may turn off power to an area,
which will tell him there is a line-operated transmitter if the
transmission stops, and that there is a battery-powered transmitter
if it continues.

Unintentional radiation on power or ground circuits is a threat
here as well; use appropriate TEMPEST or other techniques.

Protection against
compromising emanations

There are risks that electronic, acoustic, or other information
could "leak" from a computer system or other electronic
communications devices.

The risk

Understanding details of the risks requires a substantial
knowledge of electronics, but a simple example might serve. Many
people have put a radio receiver near a computer, to listen to
music as they work, and discovered that the radio suffered clicks,
squeals, and other interference. These interfering signals are
radiating from various parts of the computer, especially its
display but often also from the power and grounding system. TEMPEST
is the name for one family of protective measures against an
opponent intercepting these emanations and extracting sensitive
information from them.

While not strictly within the scope of protecting against
"leakage", a place where sensitive information is processed or
discussed needs protection against hidden microphones, wiretaps,
and other "bugging". Sometimes, an electronic sweep to verify
TEMPEST compliance reveals the presence of hidden transmitters.
Again, there is probably more suspicion than reality in most cases.
A member of a crime organization, in the middle of a nasty divorce,
or a foreign intelligence agent might have reason to worry, but,
even with the serious questions about warrantless surveillance in
the US and other countries, there is little reason for someone to
go to the risk and expense of illegal surveillance on an ordinary
citizen. TEMPEST is usually associated with direct electromagnetic
radiation from the device, either free-space or through power and
ground lines. TEMPEST generically talks about acoustic isolation,
but that is fairly easily solved through physical security and
noise damping, as well as searches for microphones.

There are several threats that have not been officially defined
in the unclassified literature. Nevertheless, there are some
informed guesses:[11]

NONSTOP is a threat that involves some type of
coupling of compromising RF energy from a classified system, which
"leaks" into an independent RF-transmitting or -recording device
such as cell phones, PDAs, pager, alarm systems. Commercial AM/FM
radios are not considered a risk.

HIJACK is a similar threat of coupling, but to
some type of digital computer or related equipment.

TEAPOT is a very different vulnerability,
which appears to apply to incidental audio modulation of the
backscatter from an RF, typically microwave, directed into the
secure area. A passive resonant cavity bug of
this type was discovered in a Great Seal of the United States
presented by the USSR, but containing a resonant cavity with a wall
that moved with sound in the room, thus imposing frequency
modulation onto the backscattered signal.

Mitigation and
countermeasures

The word TEMPEST itself, and its meaning, are unclassified. Some
of the techniques for measuring the compliance of a piece of
equipment, or whether it is actually emitting compromising
emanations, are classified. A good deal of the information has come
into public view either through Freedom of
Information Act queries,[12] books
talking about interception techniques, inferences drawn from
partially released documents, and straightforward thinking by
electronic engineers. Some documents released fully or partially
under FOIA:

Protection
against side channel attacks and covert channels

A side channel attack is an
unintentional vulnerability of an encryption device, not related to
the encryption algorithm.[18]
Potential vulnerabilities include different processing and thus
transmission speeds for blocks of plaintext with certain
statistical characteristics, changes in power consumption, or
compromising emanations.

Covert
channels are deliberate means to elude communications
security.[19] They
send out an unauthorized signal by stealing bandwidth from a
legitimate, often encrypted channel. One low-bandwidth method would
be to send information by varying the inter-block transmission
times. A steganographic covert channel might use
the low-order bit of pixels in a graphic image, perhaps not even
consecutive pixels, in a manner that would not be obvious to a
person looking at the graphic.